@mrts
Last active May 11, 2021 08:44
#!/bin/bash
set -e
set -u
CERT_HOSTNAME=www.example.com
# create private CA key
openssl genrsa -out "$CERT_HOSTNAME-CA.key" 2048
# create private CA certificate (self-signed root, valid 10 years)
openssl req \
-x509 \
-nodes \
-new \
-key "$CERT_HOSTNAME-CA.key" \
-out "$CERT_HOSTNAME-CA.crt" \
-subj "/CN=$CERT_HOSTNAME-ROOT-CA" \
-sha256 \
-days 3650
# create webserver key
openssl genrsa -out "$CERT_HOSTNAME.key" 2048
# assure subject alternative name is set to hostname, Chrome >= v58 requires this
# (the leading newline guards against a system openssl.cnf without a trailing newline)
(cat /etc/ssl/openssl.cnf; printf "\n[SAN]\nsubjectAltName=DNS:%s\n" "$CERT_HOSTNAME") > "/tmp/$CERT_HOSTNAME-openssl.cnf"
# create webserver certificate signing request (-reqexts puts the SAN into the CSR)
openssl req \
-new \
-key "$CERT_HOSTNAME.key" \
-out "$CERT_HOSTNAME.req" \
-subj "/CN=$CERT_HOSTNAME" \
-reqexts SAN \
-extensions SAN \
-config "/tmp/$CERT_HOSTNAME-openssl.cnf"
# create webserver certificate by signing the certificate signing request
# (-extensions/-extfile copy the SAN into the issued certificate; -CAcreateserial
# creates the serial file on first use, later runs reuse and increment it)
openssl x509 \
-req \
-in "$CERT_HOSTNAME.req" \
-out "$CERT_HOSTNAME.crt" \
-CA "$CERT_HOSTNAME-CA.crt" \
-CAkey "$CERT_HOSTNAME-CA.key" \
-CAcreateserial \
-CAserial "$CERT_HOSTNAME-CA.serial" \
-extensions SAN \
-extfile "/tmp/$CERT_HOSTNAME-openssl.cnf" \
-sha256 \
-days 3650
# copy the certificates and keys to a safe system location
# (globs are prefixed with the hostname so unrelated files in the working directory are left alone)
sudo mkdir -p "/etc/ssl/$CERT_HOSTNAME"
sudo mv -i "$CERT_HOSTNAME"*.key "/etc/ssl/$CERT_HOSTNAME"
sudo mv -i "$CERT_HOSTNAME"*.crt "/etc/ssl/$CERT_HOSTNAME"
sudo mv -i "$CERT_HOSTNAME"*.serial "/etc/ssl/$CERT_HOSTNAME"
# keys readable only by root and the ssl-cert group; note that the CA key is only
# needed at signing time, so it does not have to remain on the web server at all
sudo chgrp ssl-cert "/etc/ssl/$CERT_HOSTNAME"/*.key
sudo chmod 640 "/etc/ssl/$CERT_HOSTNAME"/*.key
# install the CA certificate to system certificate store
cd /usr/local/share/ca-certificates/
sudo ln -sf "/etc/ssl/$CERT_HOSTNAME"/*-CA.crt .
sudo update-ca-certificates
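A post-generation check for the bundle the script above produces, added here as an example that is not part of the gist: `check_cert_bundle` (a hypothetical helper name) confirms the leaf chains to the CA, the CA really is a CA, the SAN carries the hostname, the key matches the certificate, the certificate is unexpired, and the key file is not world-readable; `make_demo_bundle` builds a throwaway 30-day CA/leaf pair with a self-contained config so the check can be exercised without touching /etc. It assumes only that `openssl` is on PATH.

```shell
#!/bin/bash
set -eu

# Returns 0 only when every check passes.
# $1=hostname $2=CA certificate $3=server certificate $4=server private key
check_cert_bundle() {
  host=$1; ca=$2; crt=$3; key=$4
  openssl verify -CAfile "$ca" "$crt" >/dev/null 2>&1 || return 1          # chains to our CA
  openssl x509 -in "$ca" -noout -text | grep -q 'CA:TRUE' || return 1      # CA has basicConstraints CA:TRUE
  openssl x509 -in "$crt" -noout -text | grep -qF "DNS:$host" || return 1  # SAN names the host
  [ "$(openssl x509 -in "$crt" -noout -pubkey)" = "$(openssl pkey -in "$key" -pubout)" ] || return 1  # key matches cert
  openssl x509 -in "$crt" -noout -checkend 0 >/dev/null || return 1       # not expired
  [ -z "$(find "$key" -perm -004)" ] || return 1                           # key not world-readable
  return 0
}

# Builds a constructed demo CA + SAN leaf in directory $1 for hostname $2 (30-day validity).
# Mirrors the gist's steps but uses its own minimal config instead of /etc/ssl/openssl.cnf.
make_demo_bundle() {
  dir=$1; host=$2
  cat > "$dir/san.cnf" <<EOF
[req]
distinguished_name = dn
[dn]
[CA]
basicConstraints = critical,CA:TRUE
keyUsage = keyCertSign,cRLSign
[SAN]
subjectAltName = DNS:$host
EOF
  openssl genrsa -out "$dir/ca.key" 2048 2>/dev/null
  openssl req -x509 -new -nodes -key "$dir/ca.key" -out "$dir/ca.crt" -subj "/CN=$host-ROOT-CA" \
    -extensions CA -config "$dir/san.cnf" -sha256 -days 30 2>/dev/null
  openssl genrsa -out "$dir/server.key" 2048 2>/dev/null
  openssl req -new -key "$dir/server.key" -out "$dir/server.req" -subj "/CN=$host" \
    -reqexts SAN -config "$dir/san.cnf" 2>/dev/null
  openssl x509 -req -in "$dir/server.req" -out "$dir/server.crt" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
    -CAcreateserial -extensions SAN -extfile "$dir/san.cnf" -sha256 -days 30 2>/dev/null
  chmod 640 "$dir/server.key" "$dir/ca.key"
}

# Stand-alone run: ./check.sh demo
if [ "${1:-}" = demo ]; then
  d=$(mktemp -d); make_demo_bundle "$d" www.example.com
  check_cert_bundle www.example.com "$d/ca.crt" "$d/server.crt" "$d/server.key" && echo "bundle OK"
fi
```

Against the real install, call it as `check_cert_bundle www.example.com /etc/ssl/www.example.com/www.example.com-CA.crt /etc/ssl/www.example.com/www.example.com.crt /etc/ssl/www.example.com/www.example.com.key` (with sudo, since the key is root/ssl-cert only).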